Last week, the EU and the US finally struck a new deal on data sharing designed to protect EU citizens’ data when it is transferred across the Atlantic. The so-called ‘Privacy Shield’ deal replaces the ‘Safe Harbor’ agreement that stood for more than 15 years before being struck down by the EU’s top court last October. That ruling left thousands of businesses, especially those reliant on the cloud, scrambling to find a lawful basis for their transatlantic data transfers, while US and EU regulators spent the following three months hammering out the terms of Privacy Shield. Questions are already being raised about the new agreement: the language used in the official announcement is woolly at best, and there are fears that the deal has a number of flaws that could invite further legal challenges in future.
So how is this relevant to the events industry? Events deal with highly sensitive delegate information, from names, addresses and employment details to gender, disabilities and dietary preferences. Until last year, Safe Harbor made it relatively easy for any company hosting events to lawfully store EU delegate information in US data centres. With Safe Harbor gone and little certainty around the new deal, there is still nothing to stop European data protection authorities from taking enforcement action against companies suspected of breaching European law. Storing EU delegate data in the US can still put organisations at risk.
What Was Safe Harbor?
Safe Harbor allowed US companies to receive European citizens’ personal data, provided the receiving company self-certified that it met privacy principles the EU considered adequate. It was put in place in 2000 because the US has no single federal law regulating the storage of personal data. The US constitution offers some protection to US citizens’ data, but it gives no assurances to foreign citizens. Safe Harbor was therefore an important agreement for thousands of companies operating in Europe.
Why Was the Agreement Ruled ‘Invalid’?
When former National Security Agency (NSA) contractor Edward Snowden revealed the extent of US surveillance in 2013, an Austrian student filed a complaint against Facebook with the Irish data protection authority. He argued that Snowden’s disclosures showed that Facebook could not adequately protect user data, because the NSA was carrying out mass surveillance on technology companies. The case went all the way to the EU’s top court, the Court of Justice of the European Union, which in October 2015 ruled Safe Harbor invalid: US public authorities could access EU citizens’ data on a generalised basis, and individuals had no judicial means of redress for misuse of their data. Since then, the US and EU have had to negotiate a new data sharing agreement that allows data flows across the Atlantic to continue lawfully.
How Is the New Deal Different?
Under the terms of the new deal, which are still being finalised, the US will give an annual written commitment that it will not engage in indiscriminate mass surveillance of EU citizens, and both sides will review compliance once a year. US companies wishing to import EU citizens’ data must also commit to robust obligations on how personal data is processed and comply with standards equivalent to European data protection law. But there are already fears that the deal may be too vague for some to swallow. Ashley Winton, UK Head of Data Protection and Privacy at law firm Paul Hastings LLP, said: “The results of months’ worth of negotiation appear weak, and if adopted we are likely to see further legal challenge in the European courts.”
Why Is This Data-Sharing Deal So Important for Your Events?
If you host events in Europe, find out where your delegate data is stored, if you don’t already know. If it is held within the EU, the transfer question does not arise. If it sits in a US data centre, you need to make sure you have the correct legal mechanisms in place to transfer data from Europe to the US. This applies not only to the data you store within your own organisation but, more importantly, to the third-party IT systems that also have access to your event and delegate data: from the vendors that supply your registration systems and event apps to business systems such as CRM and finance packages that may be integrated with your event management software.
Find out exactly how these organisations safeguard your delegate data and keep it private. Find out where they store your data, especially the US-based companies that rely heavily on the cloud. Many cloud providers operate solely within the European Union, but many others run on large data centres in the US, which means the new ‘Privacy Shield’ deal applies to them. Find out the physical location of their cloud servers. Find out whether they contract support services outside the EU, since support staff who can view delegate records are accessing the data too. Find out who has access to your delegate data and what security policies they have in place. Find out whether your data is encrypted and whether they adhere to EU data protection rules. Solutions could involve drafting new contractual agreements with delegates, encrypting data held on US servers (which only limits exposure if the encryption keys stay under EU control) and building EU-based servers and support centres.
The Road Ahead
The uncertainty around the new deal means the movement of data from the EU to the US could still become a legal matter if EU delegates have grounds to believe that their consent to the storage and use of their data was never properly obtained. Companies may be able to transfer data on the basis of users’ free and informed consent, which gives event planners one more thing to think about before moving delegate data outside the EU.
As the terms of Privacy Shield, the new and supposedly safer ‘Safe Harbor’, are approved on the EU side, the current legal limbo may close soon enough. Last month, the US passed the Judicial Redress Act, a necessary step towards the new deal, which gives EU citizens a path to sue in US courts over privacy complaints. However, Congress also passed a last-minute Republican amendment that carves out an exception on national security grounds, which undermines the point of the whole measure. So as it stands, there are still no guaranteed assurances for businesses wanting to export data from Europe to the US. What we can be sure of is that the end of Safe Harbor and the announcement of Privacy Shield should usher in a new era of transparency about how companies use customer information and how we define data ownership.
Written by Steve Baxter, CTO, Eventsforce
The Register: Safe Harbor ripped and replaced with Privacy Shield in last-minute US-Europe deal (includes comments from former Gartner Vice President, French Caldwell)
Source: CNBC ‘US and EU in data privacy clash: what you need to know’